SAN FRANCISCO — Over the last nine months, dozens of U.S. power companies were compromised by an organized hacking group to the extent that some of them could have sabotaged and shut down production and distribution, according to Symantec, a cybersecurity company that discovered the attack.

In some cases, this involved access to details about how the company operated, engineering plans and equipment, in some cases even down to the level of controlling valves, pipes or conveyer belts, said Vikram Thakur, principal research manager at Symantec, which discovered the intrusions and first published information about them in a blog posting Wednesday.
The level of access could have led to “pretty strong impacts,” said Thakur. “It could have taken out the business for a period of a day or two or maybe a month,” he said.

The core focus seems to have been companies that focus on power generation, transmission and distribution, Symantec said.

These attacks come as no surprise to anyone who’s worked in intelligence, said Joel Brenner. He was head of U.S. counterintelligence under the Director of National Intelligence from 2006 to 2008 and then Inspector General of the National Security Agency from 2009 – 2010. He is now a senior research fellow at the Massachusetts Institute of Technology.
The aim is to make clear to the United States that its systems are vulnerable and thus make the president think twice before engaging in any kind of military action, with the looming threat of darkened cities a possibility, he said.

“I think preparation for a potential attack is what we’re seeing. And whoever’s doing this, presumably the Russians, want us to know. People in the intelligence business always say that when the Russians are found, it’s because they want to be found.”

There are already examples of power companies being attacked by hackers and the lights going out. In 2015 and 2016 hackers disrupted Ukraine’s power grid, causing blackouts that hit more than 200,000 people. The Ukrainian government has blamed Russian-supported hackers for the attacks.

Why things didn't go that far in this case is unknown, though Symantec believes it might have been a "proof of concept" attack, simply to prove to whatever government or organization was sponsoring the attackers that they had the capability.

“This confirms, again, that advanced adversaries are targeting and gaining access to the world's critical infrastructure” said Galina Antova, co-founder, Claroty, a company that provides security for industrial control networks.

“This gives bad actors the ability to harm our systems and possibly people when they choose — as a political statement, during the next conflict, before or during a war,” she said.

The Department of Homeland Security said it was aware of the Symantec report and was reviewing it.

"At this time there is no indication of a threat to public safety. We continue to coordinate with government and private sector partners to look into this activity," the agency said in a statement.

The North American Electric Reliability Corporation is aware of the threat and is sharing information with industry and government partners, said Bill Lawrence, director of NERC's Electricity Information Sharing and Analysis Center.

"At this time, there are no impacts on the operation or reliability of the bulk power system in North America. NERC continues to monitor potential cyber security risks to reliability and share information with security stakeholders on emerging and evolving threats,” he said.

Dragonfly

The ongoing attack appears to be the work of a group that Symantec and others first reported was targeting the energy sector beginning in 2011. Symantec dubbed it Dragonfly. CrowdStrike, which reported on the group in 2014, called it Energetic Bear and suggested it might have links to Russia.

Once the report went public in 2014, the group went dark. Then it appeared again in 2015, focused on Turkish energy companies that it continued to infiltrate through 2016, Thakur said.

Beginning in January, the attackers turned their attention to the United States and Switzerland. The initial attacks came through simple email phishing campaigns that got them into company networks, Symantec researchers found.

That led to two years of research and the discovery that Dragonfly 2.0 had penetrated “dozens” of companies.

“It’s still an ongoing campaign,” Thakur said.

Symantec shared information about the attackers with the companies and others who might have been impacted, but did not release their names in its public blog. Thakur said he has personally called between 50 and 75 energy companies in the past few months to warn them.

Thakur believes that energy-related companies have also been probed by the Dragonfly group, including companies that do commodity trading, finance organizations and investment groups.

The hackers appear to have made a concerted effort to make it difficult to identify them by using only open source and readily-available malware that wouldn’t pinpoint their location.
Critical infrastructure is being targeted with complex, well-resourced cyber attacks, said Josh Douglas, chief strategy officer for cyber services at Raytheon, a major U.S. defense contractor and industrial corporation.

The attributes of the Dragonfly attack are similar to those perpetrated by nation-states with deep pockets and long-term goals.

“They have invested strongly in their capabilities — some of which we have yet to see — and that we may not yet know the full extent of this attack,” said Douglas.